Thursday, December 18, 2014

OS X PowerPC Security Holes Katy Perry Kate Upton Chili Hot Dogs!!!

Given that Leopard and below are no longer supported by Apple, it's reasonable to expect security holes to pop up every now and then, and though Apple will never officially patch them, us PowerPC users can at least come up with the necessary workarounds. The only problem is, news of these vulnerabilities is a bit scattered, so I wanted to put up one post that's a compilation of all the security holes you should be aware of when running OS X on PowerPC--hence the clickbait title, I want everyone to see this (sorry Katy Kate fans). This post will also be linked on the right and updated as more security exploits are discovered.

Here's the big list, and honestly, this is mostly about linking to posts on Cameron Kaiser's TenFourFox Development blog since he wrote the bash replacement below and knows just as much as anybody:

1) Yes, the bash that comes with your PowerPC Mac is compromised. Cameron Kaiser was nice enough to build a new version that fixes the security flaw so us PowerPC users can rest easy (also works for Snow Leopard).

2) SSLv3 is no longer safe. The solution here is to update TenFourFox and Tenfourbird to their latest versions which disable SSLv3. Webkit browsers that depend on the system SSL libraries remain vulnerable (UPDATE: leopard-webkit now disables SSLv3 as well).

3) Certain versions of OpenSSL have a hole. Older OpenSSL-based libraries bundled with Tiger and Leopard are not vulnerable to this specific bug, but if you have versions 1.0.1 to 1.0.1f installed on your system through Macports or Homebrew/Tigerbrew, you'll want to update to the latest version.

4) That handy tool sudo, giving you root access from the command line, is vulnerable to an exploit. Check this post for the solution and also look down to the comments on how to use nano to correct it in case vi is a mystery to you.

As said, this post will be continually updated with developing news. Hopefully the list won't get too long. ;-)

UPDATE I:

And I've been informed of yet another one. The Diginotar SSL certificate is compromised. This was back in 2011 and was the first time Apple released a security update that didn't include PowerPC, so maybe that's why I blocked it out. Follow the step-by-step instructions at $ ps | Enable (their mpkg automator didn't seem to change things for me) to clear your system. This flaw only affects you if you use Safari or another browser that accesses your system's SSL certificates. It does not affect TenFourFox.

UPDATE II:

Via TenFourFox Development again, there are potential vulnerabilities in OS X's ntpd (Network Time Protocol daemon). This is used when you sync date and time automatically with Apple's time server in the Date & Time System Preference. I say potential because the typical user won't find themselves vulnerable, but people using ntpd in more elaborate ways should read the referenced blog post. A new version compiled for PowerPC is linked there for download.

UPDATE III:

Time to get your FREAK on! That's FREAK for "Factoring Attack on RSA-EXPORT Keys." Once again, if you're using TenFourFox you're not vulnerable, but Webkit users are. The comments on this post seem to indicate that (as of 3/8/15) development on Leopard Webkit is continuing and an update that ultimately plugs the hole may be arriving soon. Leopard-webkit has now been updated to plug this hole.

UPDATE IV:

This one's called Darwin Nuke and in theory can enable an outsider to trigger kernel panics on your system. I say in theory because Cameron Kaiser reports he's unable to trigger a successful attack against his PowerPC systems. However, since the vulnerable code does exist in the Tiger and Leopard kernels, it's safest to disable all incoming ICMP traffic on your router's firewall. On my Linksys router, this was already disabled by default with the Security --> Firewall setting, "Block Anonymous Internet Requests". If you don't see anything comparable on your router, google your router's brand and "disable ICMP". ICMP is used by network administrators for troubleshooting purposes, so the average user doesn't need it, anyway.

UPDATE V:

Run this RootPipeTester tool to see if you're vulnerable to something called systemsetupusthebomb. Read in detail at TenFourFox Development, but the short version is you should open your Security preference pane and check "Require password to unlock each secure system preference" (wording may be slightly different on Leopard), and you'll be secure against all known attacks. For an even more airtight solution, rename your writeconfig file according to the instructions Cameron Kaiser laid out on the linked post above.

4 comments:

Thanks for this info. Really good stuff. I linked to it from G5Center to help spread the word. The last bit was something I had vaguely remembered happening too, but I don't think I had done anything about it. Excellent information.

Here is another good security suggestion for people. If anyone uses ssh to access their Linux or OS X systems remotely, a good practice is to use ssh public keys vs password authentication. This tutorial is a good place to start; it works for both Linux and OS X:

https://help.ubuntu.com/community/SSH/OpenSSH/Keys

A few changes for OS X, not only do you have to set these to yes:

RSAAuthentication yes
PubkeyAuthentication yes

You also need to set these to no:

# To disable tunneled clear text passwords both PasswordAuthentication and
# ChallengeResponseAuthentication must be set to "no".
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

Then to reload sshd in cli just do this:

sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load /System/Library/LaunchDaemons/ssh.plist

I have verified this works in Yosemite; it should work in Tiger or Leopard.
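
A way to check that an sshd_config really ends up with the settings listed in the comment above, as an added example that is not part of the original post or its comments. The function names and the sample file are hypothetical, and the defaults are assumed to be OpenSSH's compiled-in ones; the point it shows is that a commented-out line or a later duplicate does not change what sshd uses.

```shell
# Added example, not part of the original comment. Assumptions: sshd keeps the
# FIRST value it reads for a keyword, keywords are case-insensitive, and an
# unset keyword falls back to OpenSSH's compiled-in default (yes for all three).

# effective_value FILE KEYWORD DEFAULT: print the value that applies globally
effective_value() {
  awk -v key="$2" -v def="$3" '
    BEGIN { key = tolower(key) }
    { sub(/^[ \t]+/, "") }                  # drop leading whitespace
    /^#/ || /^$/ { next }                   # commented-out lines do not count
    { split($0, f, /[ \t=]+/); kw = tolower(f[1]) }
    kw == "match" { exit }                  # Match blocks are conditional, not global
    kw == key && !found { val = tolower(f[2]); gsub(/"/, "", val); found = 1 }
    END { print (found ? val : def) }
  ' "$1"
}

# audit_sshd_config FILE: report each setting, return the number of failures
audit_sshd_config() {
  cfg=$1 fails=0
  while read -r key want def; do
    got=$(effective_value "$cfg" "$key" "$def")
    if [ "$got" = "$want" ]; then
      echo "ok    $key $got"
    else
      echo "FAIL  $key is '$got', want '$want'"
      fails=$((fails + 1))
    fi
  done <<EOF
PubkeyAuthentication yes yes
PasswordAuthentication no yes
ChallengeResponseAuthentication no yes
EOF
  return "$fails"
}

# Constructed sample, not a real system's file: the later "no" is ignored and
# the ChallengeResponseAuthentication line is still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
#ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

Point `audit_sshd_config` at your own sshd_config after editing it and before reloading sshd with the launchctl commands above.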

Actually the latest versions of Leopard WebKit include certificate updates. Also OpenJDK doesn't fix the java vulnerability as it runs in X11 separate from the official apple java, in fact it doesn't even support Web Start.